diff options
author | Benjamin Peterson <benjamin@python.org> | 2014-06-15 01:36:29 (GMT) |
---|---|---|
committer | Benjamin Peterson <benjamin@python.org> | 2014-06-15 01:36:29 (GMT) |
commit | 73b8b1cdb8beb44069aad44c5358aca4904fc103 (patch) | |
tree | 136a1f1718bb052d553422a292f72295431d422e | |
parent | 49991deb6ecbd2c820863d212f143f107c046a26 (diff) | |
download | cpython-73b8b1cdb8beb44069aad44c5358aca4904fc103.zip cpython-73b8b1cdb8beb44069aad44c5358aca4904fc103.tar.gz cpython-73b8b1cdb8beb44069aad44c5358aca4904fc103.tar.bz2 |
url unquote the path before checking if it refers to a CGI script (closes #21766)
-rw-r--r-- | Lib/http/server.py | 2 | ||||
-rw-r--r-- | Lib/test/test_httpservers.py | 5 | ||||
-rw-r--r-- | Misc/NEWS | 3 |
3 files changed, 9 insertions, 1 deletions
diff --git a/Lib/http/server.py b/Lib/http/server.py index bcfe894..1f4d1bb 100644 --- a/Lib/http/server.py +++ b/Lib/http/server.py @@ -946,7 +946,7 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler): (and the next character is a '/' or the end of the string). """ - collapsed_path = _url_collapse_path(self.path) + collapsed_path = _url_collapse_path(urllib.parse.unquote(self.path)) dir_sep = collapsed_path.find('/', 1) head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:] if head in self.cgi_directories: diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py index f8198f8..bb75f78 100644 --- a/Lib/test/test_httpservers.py +++ b/Lib/test/test_httpservers.py @@ -461,6 +461,11 @@ class CGIHTTPServerTestCase(BaseTestCase): (res.read(), res.getheader('Content-type'), res.status)) self.assertEqual(os.environ['SERVER_SOFTWARE'], signature) + def test_urlquote_decoding_in_cgi_check(self): + res = self.request('/cgi-bin%2ffile1.py') + self.assertEqual((b'Hello World\n', 'text/html', 200), + (res.read(), res.getheader('Content-type'), res.status)) + class SocketlessRequestHandler(SimpleHTTPRequestHandler): def __init__(self): @@ -10,6 +10,9 @@ What's New in Python 3.2.6? Library ------- +- Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths + before checking for a CGI script at that path. + - Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second parameter. Bug reported by Guido Vranken. |